Hash-based password authentication protocol against phishing and pharming attacks

Transcription

1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING XX, XXX-XXX (201X) Hash-based password authentication protocol against phishing and pharming attacks IKSU KIM 1, YONGYUN CHO 2 1 School of Computer Science and Engineering Soongsil University 369 Sangdo-Ro, Dongjak-Gu, Seoul , Korea 2 Information and Communication Engineering Sunchon National University Suncheon, Jeonnam , Korea Until now, although many researchers proposed a variety of authentication protocol to verify the identity of the clients, most of these protocols are inefficient and ineffective. Gouda et al. proposed an anti-phishing single password protocol, but it is vulnerable to pharming attacks. In this paper, we show that the protocol is insecure, and propose a hash-based password authentication protocol against phishing and pharming attacks. In the proposed protocol, the authentication tickets passed between clients and servers are secure because they are hash values which can be verified only by clients and servers. The authentication ticket is used only once, which ensures that the proposed protocol is secure against a variety of attacks such as replay, man-in-the-middle, phishing, and pharming. Because the proposed authentication protocol does not require encryption keys during the authentication phase, it is suitable for wireless and mobile communication systems. Keywords: authentication protocol, phishing attack, pharming attack, web security, hash function 1. INTRODUCTION In most server-client models, clients log on to a server using an ID and password. However, authentication based on passwords is vulnerable to a variety of attacks, including eavesdropping, man-in-the-middle, and replay. In addition, phishing incidents have been increasing since the ebay phishing incident that occurred in Phishing is a malicious technique that employs social engineering and technical fraud to steal sensitive information and financial account credentials from clients. More than 5 million U.S. clients lost money to phishing attacks in the 12 months ending September 2008, and phishing victims lost an average of $351 per incident [1]. Table 1 shows the summarized phishing statistics from Phishing Activity Trends Report which Anti-Phishing Working Group (APWG) released in April 2012 [2]. Unique phishing reports rose to an annual high of 32,979 in December 2011, and unique phishing websites detected was 48,410. In a phishing attack, an attacker first sets up a fake server that mimics a well-known, legitimate server. The attacker then sends a large number of spoofed s to random clients. If the client receiving the clicks on the hyperlinks in the message, they are Received Fexxxx 1x, 20xx; revised Nxxxx 2, 2009 & March 19, 20xx; accepted Jxxxx 9, 20xx. Communicated by Jxxx. * This work was supported by xxxxxx. 1

2 2 IKSU KIM, YONGYUN CHO redirected to the fake server instead of the legitimate server. The client submits his or her ID and password in order to log on to the fake server, believing it to be the genuine website. As a result, the attacker is able to steal IDs and passwords, which are then used to conduct online transactions. Table 1. Statistical highlights for 2nd Half, Oct. Nov. Dec. Number of unique phishing reports (campaigns) received by APWG from consumers 19,606 25,685 32,979 Number of unique phishing web sites detected 36,733 44,030 48,410 Number of brands hijacked by phishing campaigns Country hosting the most phishing websites USA USA USA Contain some form of target name in URL 66.61% 55.72% 56.94% No hostname; just IP address 1.37% 1.25% 0.92% Percentage of sites not using port % 0.28% 0.64% Most browsers now use the URL filtering method to protect clients from phishing attacks. This method detects phishing servers by using a blacklist file, which lists the URLs of servers reported as phishing servers. However, the URL filtering method cannot detect new phishing sites because it is based on information collected in advance. Therefore, research has been conducted into anti-phishing protocols and services [3, 4, 5, 6]. However, these protocols and services need encryption key operations or an instant messaging service during the authentication phase and are vulnerable to pharming attacks. Gouda et al. proposed an anti-phishing single password protocol [3]. However, this protocol is vulnerable to pharming attacks. In this paper, we show that the protocol proposed by Gouda et al. is insecure, and propose a hash-based password authentication protocol against phishing and pharming attacks. In the proposed protocol, a client first sends an ID to a server. The server then generates and sends an authentication ticket to the client. Only if the server is successfully verified by the client, the client generates and sends another authentication ticket to the server. The client-server authentication tickets can be verified only by the legitimate client and server. Therefore, the proposed protocol is secure against a variety of attacks such as replay, man-in-the-middle, phishing, and pharming, on ubiquitous networks. Moreover, the proposed authentication protocol is suitable for wireless and mobile communication systems because it does not require encryption keys during the authentication phase. The rest of this paper is organized as follows. In Section 2, we explore the evolution of phishing and introduce previous work. Section 3 provides an analysis of the vulnerability of the single password protocol (SPP) proposed by Gouda et al., and describes the proposed protocol. Section 4 analyzes the security of the proposed protocol, and Section 5 concludes this paper.

3 HASH-BASED PASSWORD AUTHENTICATION PROTOCOL AGAINST PHISHING AND PHARMING 3 ATTACKS 2. RELATED WORKS 2.1 Evolution of Phishing In phishing attacks, after an attacker sets up a fake server that mimics a well-known legitimate server, he sends s written in HTML to random clients, as shown in Fig. 1. Fig. 1. Phishing . If the recipient of the clicks the hyperlink in the message, they are redirected to a fake server instead of the TrustedLand server. The hyperlink in the is actually as follows: <a href=" The recipient believes that they have been redirected to the TrustedLand server. Therefore, they willingly submit their ID and password to log on to the fake server. Thus the submitted passwords are exposed to the attacker. If the client notices the address of the fake server in the address bar in the browser, they could perceive the phishing attack because the address is not the address of the legitimate server. Sometimes attackers register a domain name similar to that of a legitimate server. For example, if we assume that the domain name of a legitimate server is an attacker might register a domain name such as which uses the number 1 instead of the letter l. This would make it much more difficult to notice that the address is fake, and that it is a phishing attacks. In the case of a browser spoofing attack, it is much more difficult for clients to detect phishing attacks by looking at the address of the website [7]. In this type of attack, the attacker hides the address bar and places a textbox at the top of the webpage that

4 4 IKSU KIM, YONGYUN CHO looks like the address bar. The textbox then contains the address of the legitimate server. The client might not notice that the address bar looks slightly different, and will therefore not perceive the browser spoofing attack. For a successful browser spoofing attack, the browser must be able to create a new pop-up window by calling the method window.open(). Clients can prevent browser spoofing attacks by enabling the pop-up blocking feature provided by most reputable web browsers. Pharming attacks can be conducted by exploiting vulnerability in DNS server software, which is a more advanced type of attack than phishing. Here, attackers alter the IP address information stored in a DNS server so that even when clients input the correct domain name of a legitimate server in their web browser, they are redirected to a fake server. In this case, the address in the address bar in the browser shows the correct address of the legitimate server, which makes it very difficult to perceive the pharming attack. 2.2 Previous Work There are many anti-phishing security solutions that use browser extensions and toolbars in order to reduce the risks of phishing attacks [8, 9, 10, 11, 12, 13]. Web browsers such as Internet Explorer and Firefox support browser extensions and toolbar functions that developers can use to implement anti-phishing tools. Microsoft Internet Explorer provides a SmartScreen Filter that helps detect phishing servers. Using a list of reported phishing servers, the SmartScreen Filter checks whether clients are visiting a phishing server [8]. If clients visit a phishing server, the SmartScreen Filter displays a warning message. However, the SmartScreen Filter cannot detect phishing servers other than those that have already been reported. For this reason, Sharifi et al. proposed a blacklist generator that maintains an up-to-date blacklist of phishing servers [14]. The evaluation results of the technique have shown an accuracy of 91% in detecting legitimate pages and 100% in detecting phishing servers. Miyamoto et al. proposed a filtering algorithm called SPS [15] that protects clients from phishing attacks by removing part of the malicious content that traps clients into entering personal information. In SPS, URLs on HTML documents are checked by a URL filtering component. If a URL is suspicious, the HTTP response sanitizing component removes any input forms from the HTML documents. However, SPS is vulnerable to pharming attacks. Chou et al. proposed SpoofGuard [16] that examines the domain name, images, and links on HTML documents to detect phishing attacks. SpoofGuard provides traffic lights (green, yellow, or red) in a toolbar indicating whether the HTML documents are spoofed. SpoofGuard displays a warning if client opens a new account with the same ID and password. Ross et al. proposed PwdHash [17], which stores the hash value of a client s password and server domain name rather than storing the client s password in a password file. Therefore, although a client might use the same password on several servers, the verification information stored on each server is different. PwdHash makes it more difficult for attackers to find passwords through dictionary and brute-force attacks, but it is also vulnerable to pharming attacks. Sandirigama et al. proposed a simple and secure password authentication protocol (SAS) [18]. However, Lin et al. showed that SAS was vulnerable to a message replay

5 HASH-BASED PASSWORD AUTHENTICATION PROTOCOL AGAINST PHISHING AND PHARMING 5 ATTACKS attack [19]. Huang et al. proposed an anti-phishing authentication service with one-time passwords instead of fixed passwords [4]. This service requires instant messaging services, which means that clients must install at least one instant messaging client. A one-time password authentication scheme proposed by Kuo and Lee is vulnerable to a modification attack and a replay attack [20]. Kim et al. proposed a scheme that resolves the security flaws found in Kuo and Lee s scheme [21]. However, this scheme requires shared encryption keys. The anti-phishing authentication (APA) protocol and anti-phishing protocol with mutual authentication (APPMA) also require encryption keys in the authentication phase [5, 6]. Gouda et al. proposed the single password protocol (SPP), which is secure against various attacks, including eavesdropping, message replay, and phishing [3]. In this protocol, a client can use the same ID and password on multiple web servers through the use of salted passwords. In SPP, it takes much more time for attackers to crack clients passwords because they cannot create pre-computed hash values of passwords. However, SPP is vulnerable to pharming attacks. 3. HASH-BASED PASSWORD AUTHENTICATION PROTOCOL 3.1 Vulnerability of SPP In this section, we describe SPP and analyze its vulnerability. The notations used in SPP are listed in Table 2 and the protocol is shown in Fig. 2. In this protocol, when C registers with S, C generates a random number n i and ticket verification information MD 2 (n i P S). This information is then sent to S, which it stores in the password file. Thereafter, when C tries to log on to S, S prompts C with the stored value, n i. C generates ticket MD(n i P S) for authentication, a new random number n i+1, and new ticket verification information MD 2 (n i+1 P S) and sends everything to S. S then authenticates C using the ticket verification information stored in the password file. If C is successfully authenticated, S replaces n i and MD 2 (n i P S) by n i+1 and MD 2 (n i+1 P S), respectively. Notation Table 2. SPP notation. Representation C Client S Server P Password remembered by client n, n i Random number MD() One-way hash function MD 2 () MD(MD()) Concatenation

6 6 IKSU KIM, YONGYUN CHO Fig. 2. SPP protocol. SPP is vulnerable to pharming attacks when an attacker is able to replace the IP address of a legitimate server with that of the malicious server on a DNS server. As shown in Fig. 3, when a client, C, tries to log on to the legitimate server, the identification information first passes through the malicious server, which forwards it to the legitimate server. The legitimate server responds by sending n i to the malicious server, which passes this on to the client, C. Now, the client C sends MD(n i P S) n i+1 MD 2 (n i+1 P S) to the malicious server, and the server has access to the login information. The attacker can now log on to the legitimate server using the information. 3.2 Registration Phase Fig. 3. Attack on SPP protocol. In this section, we present a hash-based password authentication protocol against phishing and pharming attacks over the Internet. In the proposed protocol, we first assume that clients choose secure passwords against brute force attacks and dictionary attacks. In other words, the passwords consist of at least eight random characters. On a standard computer keyboard, the character types include 10 numeric numbers, 26 lower-

7 HASH-BASED PASSWORD AUTHENTICATION PROTOCOL AGAINST PHISHING AND PHARMING 7 ATTACKS case characters, 26 uppercase characters, and 32 special characters. The number of combination for a password length of 8 digits is It would therefore potentially take years for an attacker to try every possible combination of letters, numbers, and special characters before discovering the correct one. Second, we assume that the proposed protocol is used with the Secure Sockets Layer (SSL) that provides communication security over the Internet. The reason for assuming so is because most servers, such as banking servers, server, and online shopping servers, are using the SSL for security. The SSL can prevent eavesdropping and tampering, but it is still vulnerable to man-in-the-middle attacks. In the proposed protocol, the SSL protocol runs before the registration phase begins, as follows: Step 1: A client s machine requests the registration page from a server. Step 2: The server sends its certificate to the client s machine. Step 3: The client s machine authenticates the server and generates a session key. Step 4: The client s machine encrypts the session key with the server s public key and sends the encrypted session key to the server. Step 5: The server decrypts the encrypted session key with its private key. Now the client s machine and server can securely send and receive messages, and the registration phase begins. The registration phase is shown in Fig. 4 and the notation used in this section is listed in Table 3. Table 3. Notation. Notation Representation ID Identity of client P Original password of client P Password submitted by client D Domain name of legitimate server D Domain name of fake server IP hs Source IP address in packet header IP s Server IP address IP c Client IP address N s Random nonce generated by server H() One-way hash function M c Verification message from client M s Verification message from server Concatenation Exclusive-or

8 8 IKSU KIM, YONGYUN CHO Fig. 4. Registration phase. When a client registers with a server, he determines an ID and password (P), and enters them into the registration form. Before ID and P are sent to the server, P is hashed with the salt value, D. Thereafter, ID and H(P D) are sent to the server, and the server stores the ID and H(P D) in the password file. 3.3 Authentication Phase The authentication phase is shown in Fig. 5. When a client tries to log on to the server, he inputs his ID and P into the input form for authentication. The client s machine sends only the ID to the server. If the ID exists in the password file on the server, the server generates N s, and computes N s H(P D) and H(P D) H(H(P D) IP s N s ). The server then sends (H(P D) H(H(P D) IP s N s )) (N s H(P D)) to the client s machine. Fig. 5. Authentication phase. Because the client s machine knows P and D, it can compute H(P D). After the

9 HASH-BASED PASSWORD AUTHENTICATION PROTOCOL AGAINST PHISHING AND PHARMING 9 ATTACKS client s machine computes H(P D), it extracts N s from N s H(P D) and computes H(P D) H(H(P D) IP hs Ns), where IP hs denotes the source IP address in the packet header. If H(P D) H(H(P D) IP hs N s ) is the same as H(P D) H(H(P D) IP s N s ) received from the server, the server is verified. This is because the same value for H(P D) H(H(P D) IP hs N s ) can only be computed by the server that knows H(P D). After the client s machine verifies the server, it computes H(P D) H(H(P D) IP c N s ) and sends the computed value to the server. Because the server knows H(P D), IP hs, and N s, it can compute H(P D) H(H(P D) IP hs N s ). If the computed value is the same as H(P D) H(H(P D) IP c N s ) received from the client s machine, the client s machine is verified. The same value for H(P D) H(H(P D) IP hs N s ) can only be computed by the client s machine that knows both H(P D) and N s. If the client s machine and the server are not verified by each other during the authentication phase, the authentication fails. In current situation of the Internet, NAT is widely used in various networks. In the proposed protocol, when a client and/or a server is in private networks, the IP c and/or the IP s have the external IP addresses of the client-side and/or the server-side NAT devices, respectively. Therefore, the proposed protocol can work well in private network environment. 4.1 Eavesdropping Attack 4. SECURITY ANALYSIS An eavesdropping attack is the act of secretly listening to the private conversation of others. On the Internet, an attacker listens to network communication and thus tries to steal a client s password. An eavesdropping attack is impossible when using the proposed protocol. An attacker cannot compute P and H(P D) from the verification messages H(P D) H(H(P D) IP s N s ) N s H(P D) and H(P D) H(H(P D) IP c N s ) exchanged between the client s machine and server. Although the attacker will know D, IP s, and IP c, because the verification messages are created by a one-way hash function and an exclusive-or operation, he cannot find out P and H(P D). Therefore the proposed protocol is secure against eavesdropping attack without using the SSL. 4.2 Message Modification Attack Sometimes, an attacker modifies the verification messages between a client and a server to find out the client s password or to gain unauthorized access. In the proposed protocol, all verification messages are created using a one-way hash function and an exclusive-or operation. Therefore, it is impossible to regenerate valid verification messages by modifying an existing message. Because the attacker cannot log on to the server without using valid verification messages, the proposed protocol is secure against message modification attacks without using the SSL. 4.3 Message Replay Attack

10 10 IKSU KIM, YONGYUN CHO A message replay attack is the act of intercepting the message and retransmitting it. An attacker listens to network communication and intercepts messages, which include verification information. The attacker then tries to log on to the server by replaying the verification messages. Let us assume that an attacker intercepted an ID and verification message, M c. After the attacker sends the ID, he replays the verification message, M c, in an attempt to log on to the server. In order to verify the client, the server computes H(P D) H(H(P D) IP hs Ns), and then compares the value with the verification message, M c. Because M c includes a random nonce, N s, it is a one-time message. Therefore, M c and H(P D) H(H(P D) IP hs N s ) are different to each other when the message replay attack occurs. As a result, the attacker cannot successfully execute a message replay attack. Therefore the proposed protocol is secure against message replay attacks without using the SSL. 4.4 Man-in-the-middle Attack A man-in-the-middle attack is the act of relaying messages between the victims, making them believe that they are sending messages directly to one another. Before relaying messages, an attacker sometimes forges the messages. When an attacker forwards the verification messages, M s and M c, exchanged between the client and server in the proposed protocol, because IP s and IP c are different from IP hs, the attacker cannot succeed with a man-in-the-middle attack. In order to generate valid verification messages by modifying IP s and IP c, the attacker has to know P or H(P D). As mentioned in Section 4.1, the attacker cannot establish the values of P and H(P D) from the verification messages, M s and M c. Therefore the proposed protocol is secure against man-in-the-middle attacks. 4.5 Malicious Server Attack In malicious server attacks, an attacker sets up a malicious server and lures clients to register with the server. If clients input their passwords on a fake HTML file, the attacker can read the passwords. In the proposed protocol, when a client registers with a server, he sends the ID and H(P D) to the server. If the client visits a malicious server impersonating a legitimate server, he sends ID and H(P D ), where D denotes the domain name of the malicious server. An attacker can read the values of ID and H(P D ), but cannot read H(P D). Here, H(P D ) cannot be used in the authentication phase on the legitimate server. Therefore, the proposed protocol is secure against malicious server attacks without using the SSL. 4.6 Phishing Attack In a phishing attack, an attacker sets up a fake server and sends a large number of spoofed s to random clients. If a recipient of the attempts to log on to the fake server, their IDs and passwords are exposed to the attacker. In the proposed protocol, when a client visits and tries to log on to a fake server, the client s machine only sends the

11 HASH-BASED PASSWORD AUTHENTICATION PROTOCOL AGAINST PHISHING AND PHARMING 11 ATTACKS ID to the server. The server must then send a verification message to the client. However, the fake server cannot generate the verification message, M s, because it does not know P or H(P D). Only if the client s machine successfully verifies the server using the verification message, M s, does it send the verification message, M c, to the server for verification. Therefore, the proposed protocol is secure against phishing attacks without using the SSL. 4.7 Pharming Attack In a pharming attack, although clients input the correct domain name of the legitimate server in a web browser, they are redirected to a fake server. In the same way as phishing attacks, when they try to log on to the fake server, their IDs and passwords are exposed to the attacker. In the proposed protocol, when a client tries to log on to the legitimate server, the client s ID is sent to the malicious server, and the server forwards it to the legitimate server. After that, the legitimate server sends the verification message, M s, back to the malicious server, and the malicious server forwards it to the client s machine. The client s machine computes H(P D) H(H(P D) IP hs N s ) and compares it to M s. Because the value of IP s that was used to generate M s is different from IP hs, the authentication phase fails. In order to create valid verification messages by modifying IP s, the attacker has to know P or H(P D). As mentioned in Section 4.1, the attacker cannot establish the value of P and H(P D) from the verification message. Therefore, the proposed protocol is secure against pharming attacks without using the SSL. 5. CONCLUSION As people spend more social and economic time on the Internet, the importance of protecting their privacy against attacks such as phishing and pharming attacks also increases. Currently, password authentication is the most common means of authentication on the Internet. Until now, although research has been conducted into possible countermeasures to phishing attacks, most of these methods require encryption keys during the authentication phase and are especially vulnerable to pharming attack. The summary of previous work is shown in Table 4. Table 4. Summary of previous work. Anti-phishing Requirement Drawback Browser extension and tool bar Black list file Cannot detect new phishing servers PwdHash Hash function Is vulnerable to pharming attacks SPS Contents filtering Is vulnerable to pharming attacks SpoofGuard Contents scanning Occasionally raises false alarm SPP Hash function and exclusive-or operation Is vulnerable to pharming attacks Authentication service by Huang et al. IM service Does not operate without using IM service

12 12 IKSU KIM, YONGYUN CHO APA Symmetric key Needs symmetric encryption APPMA Asymmetric key Needs public key operation In order to resolve this problem, we proposed a hash-based password authentication protocol. The proposed protocol is secure against a variety of attacks such as replay, man-in-the-middle, phishing, and pharming without using the SSL. Because the proposed authentication protocol does not use encryption keys during the authentication phase, it does not require high computational resources. Therefore the proposed protocol is suitable for wireless and mobile communication systems. The proposed protocol can be broadly adopted to develop secure applications against a variety of attacks in ubiquitous network environments. REFERENCES M. G. Gouda, A. X. Liu, L. M. Leung, M. A. Alam, SPP: An anti-phishing single password protocol, Computer Networks, Vol. 51, 2007, pp C. Y. Huang, S. P. Ma, K. T. Chen, Using one-time passwords to prevent password phishing attacks, Journal of Network and Computer Applications, Vol. 34, 2011, pp M. Sharifi, A. Saberi, M. Vahidi, M. Zorufi, A zero knowledge password proof mutual authentication technique against real-time phishing attacks, in Proceedings of the 3rd International Conference on Information Systems Security, 2007, pp M. Saeed, H. S. Shahhoseini, APPMA An anti-phishing protocol with mutual authentication, in Proceedings of the 15th IEEE Symposium on Computers and Communications, 2010, pp T. Y. Li, Y. Wu, Trust on web browser: attack vs. defense, in Proceedings of the 1st International Conference on Applied Cryptography and Network Security, 2003, pp reen-filter/ R. Dhamija, J. D. Tygar, Phish and HIPs: Human interactive proofs to detect phishing attacks, in Proceedings of the 2nd International Workshop on Human Interactive Proofs, 2005, pp M. Sharifi, S. H. Siadati, A phishing sites blacklist generator, in Proceedings of the 6th ACS/IEEE International Conference on Computer Systems and Applications, 2008, pp D. Miyamoto, H. Hazeyama, Y. Kadobayashi, SPS: A simple filtering algorithm to thwart phishing attacks, in Proceedings of the 1st Asian Internet Engineering Con-

13 HASH-BASED PASSWORD AUTHENTICATION PROTOCOL AGAINST PHISHING AND PHARMING 13 ATTACKS ference on Technologies for Advanced Heterogeneous Networks, 2005, pp N. Chou, R. Ledesma, Y. Teraguchi, J. C. Mitchell, Client-side defense against web-based identity theft, in Proceedings of the 11th Annual Network and Distributed System Security Symposium, B. Ross, C. Jackson, N. Miyake, D. Boneh, J.C. Mitchell, Stronger password authentication using browser extensions, in Proceedings of the 14th Conference on USENIX Security Symposium, 2005, pp M. Sandirigama, A. Shimizu, M. T. Noda, Simple and secure password authentication protocol (SAS), IEICE Transactions on Communications, Vol. E83-B, 2000, pp C. L. Lin, H. M. Sun, T. Hwang, Attacks and solutions on strong-password authentication, IEICE Transactions on Communications, Vol. E84-B, 2001, pp W. C. Kuo, Y.C. Lee, Attack and improvement on the one-time password authentication protocol against theft attacks, in Proceedings of the 6th International Conference on Machine Learning and Cybernetics, 2007, pp M. Kim, B. Lee, S. Kim, D. Won, Weaknesses and improvements of a one-time password authentication scheme, International Journal of Future Generation Communication and Networking, Vol. 2, 2009, pp Iksu Kim received the B.S., M.S., and Ph.D. in Computer Science from Soongsil University, South Korea, in 2000, 2002, and 2008, respectively. He worked at SKYCOM as a manager until Jan He is a professor of school of computing at Soongsil University from Sep He achieved the CISSP(Certified Information Systems Security Professional) certification in His research interests include system and network security. Yongyun Cho received his BE in Computer Science from Inchoen University, Korea, in And, he received his MS and PhD in Computer Engineering from Soongsil University, Korea, in 1998 and 2006, respectively. Currently, he is a Professor at Information and Communication Engineering, Sunchon University. His research interests include semantic web and web security.